| Pit Schultz on Thu, 15 May 1997 03:30:56 +0200 (MET DST) |
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
| <nettime> The Bulgarian and Soviet Virus Factories |
The Bulgarian and Soviet Virus Factories
Vesselin Bontchev, Director
Laboratory of Computer Virology
Bulgarian Academy of Sciences, Sofia, Bulgaria
0) Abstract
It is now well known that Bulgaria is the leader in computer virus
production and the USSR is following closely. This paper tries to answer the
main questions: Who makes viruses there, What viruses are made, and Why this
is done. It also underlines the impact of this process on the West, as well
as on the national software industry.
1) How the story began
Just three years ago there were no computer viruses in Bulgaria. After all,
these were things that can happen only in the capitalist countries. They
were first mentioned in the April issue of the Bulgarian computer magazine
"Komputar za vas" ("Computer for you") [KV88] in a paper, translated from
the German magazine "Chip" [Chip]. Soon after that, the same Bulgarian
magazine published an article [KV89]], explaining why computer viruses
cannot be dangerous. The arguments presented were, correct, in general, but
the author had completely missed the fact that the majority of PC users are
not experienced programmers.
A few months later, in the fall of the same year, two men came in the
editor's office of the magazine and claimed that they had found a computer
virus. Careful examination showed that it was the VIENNA virus.
At that time the computer virus was a completely new idea for us. To make a
computer program whose performance resembles a living being, which is able
to replicate and move from computer to computer even against the will of the
user, seemed extremely exciting.
The news that "it can be done" and that even "it had been done" spread in
our country like wildfire. Soon hackers obtained a copy of the virus and
began to hack it. It was noticed that the program contains no "black magic"
and that it was even quite sloppily written. Soon new, home-made, improved
versions appeared. Some of them were produced just by assembling the
disassembly of the virus using a better optimizing assembler. Some were
optimized by hand. As a result, now there are several versions of this virus
created in Bulgaria -- versions with infective lengths of 627, 623, 622,
435, 367, 353 and even 348 bytes. The virus has been made almost two times
shorter (its original infective length is 648 bytes) without any loss of
functionality.
This virus was the first case. Soon after that, we were "visited" by the
CASCADE and the PING PONG viruses. The latter was the first boot-sector
virus and proved that this special area, present on
every diskette, can be used as a virus carrier, too. All these three viruses
were probably imported with illegal copies of pirated programs.
2) Who, What & Why.
2.1) The first Bulgarian virus.
At that time both known viruses that infected files ( VIENNA and CASCADE)
infected only COM files. This made me believe that the infection of EXE
files was much more difficult. Unfortunately, I made the mistake by telling
my opinion to a friend of mine. Let's call him "V.B." for privacy
reasons.(1) [(1) These are the initials of his real name. It will be the
same with the other virus writers that I shall mention. Please note, that
while I have the same initials (and even his full name resembles mine), we
are two different persons.] The challenge was taken up immediately and soon
after that I received a simple virus that was able to infect only EXE files.
It is now known to the world under the name of OLD YANKEE. The reason for
this is that when the virus infects a new file, it plays the "Yankee Doodle"
melody.
The virus itself was quite trivial. Its only feature was its ability to
infect EXE files. The author of this virus even distributed its source code
(or, more exactly, the source code of the program that releases it).
Nevertheless, the virus did not spread very widely and had not even been
modified a lot. Only a few sites reported to be infected by it. Probably the
reason for this was the fact that the virus was non-resident, and that it
infected files only on the current drive, so the only possibility to get
infected by it was to copy an infected file from one computer to another.
When the puzzle of creating a virus which is able to infect EXE files was
solved, V.B. lost his interest in this field and didn't write any other
viruses. As far as I know, he currently works in real-time signal processing.
2.2) The T.P. case.
The second Bulgarian virus--writer, T.P., caused much more trouble. When he
first heard the idea about a self-replicating program, he was very
interested, decided to write his own virus, and he succeeded. Then he tried
to implement a virus protection scheme and succeeded again. The next move
was to improve his virus to bypass his own virus protection, then to improve
the virus protection and so on. That is why there are currently about 50
different versions of his viruses.
Unfortunately, several of them (about a dozen) were quite "successful." They
spread world-wide. There are reports about them from all countries of the
former Eastern Bloc, as well as from the USA and West Europe. Earlier
versions of these TP viruses are known as VACSINA, because they contain such
a string. In fact, this is the name of the virus author's virus protection
program. It is implemented as a device driver with this name. The virus
merely tries to open a file with this name, which means "Hey, it's me, let
me pass."
The latest versions of the virus are best known under the name YANKEE
DOODLE, because they play this tune. The conditions on which the tune is
played are different with the different versions of the virus --- for
instance when the user tries to reboot the system, or when the system timer
reaches 5 p.m.
All TP viruses are strictly non-destructive. Their author paid particular
attention not to destroy any data. For instance, the virus does not infect
EXE files for which the true file length and the length of the loadable
part, as it is in the EXE header, are not equal. As far as I know, no other
virus that is able to infect EXE files works this way.
Also, the virus does not try to bypass the resident programs that have
intercepted INT 13h, therefore it takes the risk to be detected by most
virus activities monitoring software. The author of the virus obviously
could circumvent it --- for instance it uses a clever technique, now known
as "interrupt tracing" to bypass all programs that have hooked INT 21h. The
only reason for not bypassing INT 13h as well, is that this would also
bypass all disk caching programs, thus it could cause damage.
Of course, the fact that the virus is not intentionally destructive does not
mean that it does not cause any damage. There are several reports of
incompatibilities with other software; or of panicking users, that have
formatted their disks; or, at least, damage caused by time loss, denial of
computer services, or expenses removing the virus. It is well known that
"there ain't no such thing as a good
virus."
The TP viruses were not spread intentionally; the cause could be called
"criminal negligence." The computer used by T.P. to develop his viruses was
also shared by several other people. This is common practice in Bulgaria,
where not everyone can have a really "personal" computer to work with. T.P.
warned the other users that he is writing viruses, but at this time computer
viruses were a completely new idea, so nobody took the warning seriously.
Since T.P. didn't bother to clean up after himself, these users got, of
course, infected. Unintentionally, they spread the infection further.
When asked about the reason of writing viruses, T.P. replied that he did
this in order to try several new ideas; to better learn the operating system
and several programming tricks. He is not interested in this field any more
- he stopped writing viruses about two years ago.
2.3) The Dark Avenger.
In the spring of 1989 a new virus appeared in Bulgaria. It was obviously
"home-made" and just to remove any doubts about it, there was a string in
it, saying "This program was written in the city of Sofia (C) 1988-89 Dark
Avenger."
The virus was incredibly infectious: when it was in memory it was sufficient
to copy or just to open a file to get it infected. If a user thought there
was a virus in his/her system, and, without booting from a non-infected
write-protected system diskette, ran an anti-virus program which wasn't
aware of this new virus, he usually got all his/her executable files infected.
The idea of infecting a file when it was opened was new and really
"successful." Now such viruses are called "fast infectors." This strategy
helped the virus to spread world-wide. There are reports from all European
countries, from the USA, the USSR, even from Thailand and Mongolia.
On the top of this the virus was very dangerous and destructive. On every
16th run of an infected program, it overwrote a sector on a random place of
the disk, thus possibly destroying the file or directory that contained this
sector. The contents of the overwritten sector was the first 512 bytes of
the virus body, so even after the system has been cleaned up, there were
files containing a string "Eddie lives...somewhere in time!" This caused
much more damage than if the virus were just formatting the hard disk, since
the destruction was almost unnoticeable and when the user eventually
discovered it, his backups probably already contained corrupted data.
Soon after that, other clever viruses began to appear. Almost all of them
were very destructive. Several contained completely new ideas. Now this
person (we still cannot identify him exactly) is believed to be the author
of the following viruses:
DARK AVENGER, V2000 (two variants), V2100 (two variants), 651, DIAMOND (two
variants), NOMENKLATURA, 512 (six variants), 800, 1226, PROUD, EVIL,
PHOENIX, ANTHRAX, LEECH...
Dark Avenger has several times attacked some anti-virus researchers
personally. The V2000/V2100 viruses claim to be written by "Vesselin
Bontchev" and in fact hang the computer when any program containing this
string is run. A slightly modified variant of V2100 (V2100-B)
has been used to trojanize version 66 of John McAfee's package VIRUSCAN.
There are reports that Dark Avenger has called several bulletin board
systems in Europe and has uploaded there viruses. The reports come from the
UK, Sweden, the Netherlands, Greece... Sometimes the viruses uploaded there
are unknown in Bulgaria (NOMENKLATURA,ANTHRAX). But they are obviously made
in our country - they contain messages in Cyrillic. Sometimes Dark Avenger
uploads a Trojan program that spreads the virus - not just an infected
program. This makes the detection of the source of infection more difficult.
One particular case is when he has uploaded a file called UScan, which, when
run, claims to be the "universal virus scanner," written by Vesselin
Bontchev. Even the person who has uploaded it has logged under the name
"Vesselin Bontchev." In fact, the program just infected all scanned files
with the ANTHRAX virus.
While the other Bulgarian virus writers seem to be merely irresponsible or
childish, the Dark Avenger can be classified as a "technopath." He is a
regular user of several Bulgarian bulletin board systems, so one can easily
exchange e-mail messages with him. When asked why his viruses are
destructive, he replied that "destroying data is a pleasure" and that he
"just loves to destroy other people's work."
Unfortunately, no measures can be taken against him in Bulgaria. Since there
is no law for information protection, his activities are not illegal there.
He can be easily caught by tapping the phones of the BBSes that he uses, but
the law enforcement authorities cannot take such measures, since there is no
evidence of illegal activities. Alas, he knows this perfectly.
2.4) Lubo & Ian.
Some of the Dark Avenger's viruses proved to be very "successful" and caused
real epidemics. That is why they were often imitated by other virus writers,
that had no imagination to design their own virus, but were jealous of Dark
Avenger's fame. So they just disassembled his viruses (usually the first
one) and used parts of it - sometimes without even understanding their
purpose. Such is the case with the MURPHY viruses.
According to a string in them, they are written by "Lubo & Ian, USM
Laboratory, Sofia." These people do exist and they have used their real
names. "Lubo" has even been several times interviewed by newspaper's
reporters.
They claim that the virus was written for vengeance. They had done some
important work for their boss who later refused to pay them. That’s why, one
night, they developed the virus and released it. The fact that the virus
would spread outside the laboratory just didn't come to their minds.
However, this does not explain the developing of the other versions of the
same virus (there are at least four variants). Nevertheless, it proves one
more time that it is better (and safer, too) to pay good programmers well...
Besides MURPHY, these two virus writers have created another virus, called
SENTINEL (5 variants). The only unusual thing with this virus is that it is
written in a high-level programming language (Turbo PASCAL), but is not an
overwriting or a companion virus as most HLL viruses are. It is able to
infect COM and EXE files by appending itself to them and by preserving their
full functionality. It is also memory resident - it hides the file length
increase when the user issues the DIR command, and even mutates.
2.5) The virus writer from Plovdiv.
This man, P.D., claimed that he has written viruses "for fun" and only "for
himself" and that he "never releases them." Unfortunately, at least two of
them have "escaped" by accident. These are the ANTI- PASCAL605 and the
TERROR viruses. Especially the latter is extremely virulent and caused a
large epidemic in Bulgaria.
P.D. was very sorry for that and submitted examples of all his viruses to
the anti-virus researchers so that the respective anti-virus programs be
developed - just in case some of these viruses escapes too. These viruses
turned out to be quite a few, ranging from extremely stupid to very
sophisticated. Here are some of them:
XBOOT, ANTIPASCAL (5 variants), TINY (11 variants), MINIMAL-45, TERROR, DARK
LORD, NINA, GERGANA, HAPPY NEW YEAR (2 variants), INT13.
P.D. claims that the DARK LORD virus (a minor TERROR variant) is not written
by him. The TINY family has nothing to do with the Danish TINY virus (the
163--byte variant of the KENNEDY virus), and, as well as the MINIMAL-45
virus, are written with the only purpose to make the shortest virus in the
world.
Now P.D. is not writing viruses any more --- because, in his own words, “it
is so easy that it is not interesting.” He is currently writing anti-virus
programs - and rather good ones.
2.6) The two guys from Varna.
They are two pupils (V.P. and S.K.) from the Mathematical High School in
Varna (a town on the Black Sea). They have developed several viruses and
continue to do so, producing more and more sophisticated ones. Furthermore,
they intentionally spread their viruses, usually releasing them on the
school's computers or in the Technical University in Varna. When asked why
they write and release viruses, they reply "because it's so interesting!"
The viruses written by them are: MG (5 variants), SHAKE (5 variants), DIR
and DIR II. All of them are memory resident and infect files when the DIR
command is performed.
The last one is an extremely virulent and sophisticated virus - as
sophisticated as THE NUMBER OF THE BEAST. It is a completely new type of
virus as well - it infects nether boot sectors, nor files. Instead, it
infects the file system as a whole, changing the information in the
directory entries, so that each file seems to begin with the virus.
There is a counter of the number of infected systems in the virus body.
There is evidence that V.P. and S.K. collect infected files, copy the
contents of the counter and then draw curves of the spread of infection,
checking the normal distribution law. They are doing this "for fun."
2.7) W.T.'s case.
W.T. is a virus writer from Sofia who has written two viruses --- WWT (2
variants) and DARTH VADER (4 variants). According to his own words, he has
done so to test a new idea and to gain access to the Virus eXchange BBS (see
below).
The new idea consisted of a virus (DARTH VADER) that does not increase file
lengths, because it searches for unused holes, filled with zeros, and writes
itself there. Also, the virus does not perform any write operations.
Instead, it just waits for a COM file to be written to by DOS and modifies
the file's image in memory just before the write operation is performed.
W.T. does not write viruses any more, but he is still extremely interested
in this field. He is collecting sophisticated viruses and disassembles them,
looking for clever ideas.
2.8) The Naughty Hacker.
This virus writer, M.H., is a pupil and also lives in Sofia. He has written
several viruses, most of which contain the string "Naughty Hacker" in their
body. All of them are non-destructive, but contain different video effects -
from display desynchronization to a bouncing ball.
Currently, at least 8 different variants are isolated, but it is believed
that even more exist and are spread in the wild. Also, it is believed that
M.H. continues to produce viruses. As usual, he is doing so "because it is
interesting" and “for fun."
He is also the author of three simple boot sector viruses (BOOTHORSE and two
others that are still unnamed).
2.9) Other known virus writers.
The persons listed above are the major Bulgarian virus producers. However,
they are not alone. Several other people in Bulgaria have written at least
one virus (sometimes more). In fact, making a virus is currently considered
a kind of sport there, or a practical joke, or means of self-establishment.
Some of these virus writers have supplied their creations directly to the
anti-virus researchers, as if they are waiting for a reward. This happens
quite often - probably they expect that the anti-virus researcher, as the
best qualified person, will evaluate their creation better. Sometimes the
fact that their virus becomes known, is described, and is included in the
best anti-virus programs is sufficient for these people and they don't
bother to really spread their virus in the wild. So, probably the main
reason for these people to produce viruses is the pursuit of glory, fame,
and self-establishment.
Such known Bulgarian virus writers (with the respective names of their
viruses given in parentheses) are V.D. from Pleven (MICRO-128), A.S. and
R.D. from Mihajlovgrad (V123), I.D. from Trojan (MUTANT, V127, V270x), K.D.
from Tutrakan (BOYS, WARRIER, WARRIOR, DREAM), and others.
2.10) Unknown Bulgarian virus writers.
Of course, there are also other virus writers, that are not known to the
author of this paper. Sometimes it is possible to determine the town where
the viruses were developed - usually due to an appropriate string in the
virus body, or because the virus wasn't found elsewhere. Some of the viruses
are very simple, others are quite sophisticated. Here are examples of such
viruses.
- The KAMIKAZE virus has been detected only in the Institute of Mathematics
at the Bulgarian Academy of Sciences, Sofia and was probably made there;
- The RAT virus was made in Sofia, as is said in its body;
- The VFSI (HAPPY DAY) virus was developed in the Higher Institute of
Finances and Economics in Svishtov (a small town on the Danube) by an
unknown programmer;
- The DESTRUCTOR virus was probably made in Plovdiv, where it was first
detected;
- The PARITY virus was probably written in the Technical University, Sofia,
since it has not been detected elsewhere;
- The TONY file and boot sector viruses was probably created in Plovdiv
where it was first detected;
- The ETC virus was detected only in Sofia;
- The 1963, a quite sophisticated virus was probably made in the Sofia
University;
- The JUSTICE virus.
2.11) The Virus eXchange BBS.
About a year ago virus writing in Bulgaria entered a new phase. Virus
writers began to organize. The first step was the creation of a specialized
bulletin board system (BBS), dedicated to virus exchange. The Virus eXchange
BBS.
It's system operator (SysOp), T.T., is a student of computer science in the
Sofia University. He established the BBS in his own home. On this BBS, there
are two major kinds of files - anti-virus programs and viruses. The
anti-virus programs can be downloaded freely.
In order to get access to the virus area one has to upload a new virus.
However, anyone who uploads a new virus, gets access to the whole virus
collection. S/he could then download every virus that is already available,
or even all of them. No questions are asked - for instance the reason s/he
might need these viruses.
Furthermore, the SysOp takes no steps to verify the identity of his users.
They are allowed to use fake names and are even encouraged to do so. Dark
Avenger and W.T. are the most active users, but there are also names like
George Bush from New York, Saddam Hussein from Baghdad, Ozzy Ozbourn and
others
Since this BBS has already a large collection of computer viruses (about
300), it is quite difficult to find a new virus for it. If one wants to get
access to the virus area, it is much simpler to write a new virus than to
find a new one. That is exactly what W.T. did. The BBS, then, encourages
virus writing.
Furthermore, on this BBS there are all kinds of viruses - some of them as
1260, V2P6Z, FLIP, and WHALE are considered extremely dangerous because they
use several new ideas and clever tricks, which makes them very difficult to
recognize and remove from the infected files. And the Virus eXchange BBS
policy makes all these viruses freely available to any hacker that bothers
to download them. This will, undoubtedly, lead to the creation of more and
more such "difficult" viruses in the near future.
The free availability of live viruses has already borne its bitter fruits.
It’s helped to find viruses created far away from Bulgaria, and not widely
spread, to cause epidemics in our country. Such was the case of the DATALOCK
virus. It was created in California and uploaded to the Virus eXchange BBS.
A few weeks later it was detected in the Technical University, Sofia.
Probably one of the users of the BBS had downloaded it from there and spread
it "for fun." In the similar way the INTERNAL, TYPO and 1575 viruses entered
our country.
But the free availability of known live viruses is not the most dangerous
thing. After all, since they are already known, there already exist programs
to detect and probably to remove them. Much more dangerous is the free
availability on this BBS of virus source code! Indeed, original source code
or well commented disassemblies of several viruses are freely available on
the Virus eXchange BBS - just as any other live virus. To name a few, there
are:
DARK AVENGER, OLD YANKEE, DIAMOND, AMSTRAD, HYMN, MLTI830, MURPHY,
MAGNITOGORSK, ICELANDIC, MIX1, STONED, JERUSALEM, DATACRIME, BURGER,
ARMAGEDON, OROPAX, DARTH VADER, NAUGHTY HACKER, 512, VIENNA, 4096, FISH#6,
PING PONG, BLACK JEC, WWT, MG, TSD, BOOTHORSE, BAD BOY, LEECH...
Most of them are easily assembled sources.
The publishing of virus source code proved to be the most dangerous thing in
this field. The VIENNA, JERUSALEM, CASCADE and AMSTRAD viruses are the best
examples. Their source code was made publicly available, leading to the
creation of scores of new variants of these viruses. The known variants of
only these four viruses are about 20 % of all known viruses, which means
more than a hundred variants. One can imagine the consequences of making
publicly available the source code of all the viruses listed above. In less
than a year we probably will be submerged in thousands of new variants...
In fact, this process has already begun. The HIV, MIGRAM, KAMASYA, CEMETERY
and ANTICHRIST viruses were obviously created by someone who had access to
the source of the MURPHY virus. The ENIGMA virus is clearly based on the OLD
YANKEE code. There have been reports about infections of these viruses in
one Italian school, and an Italian virus writer, known as Cracker Jack is a
user of Virus eXchange...
The damage to the rest of the world caused by the BBS alone is big enough.
But this is not all. Since possession of "viral knowledge" (i.e., live
viruses, virus source code) has always tempted hackers, and since the
legitimate anti-virus researchers usually exchange such things only between
themselves and in a very restricted manner, it is not surprising that
similar "virus boards" began to pop up around the world. There are currently
such BBSs in the USA, Germany, Italy, Sweden, Czechoslovakia, the UK, and
the Soviet Union. Stopping their activities is very difficult in legal
terms, because the possession, storage or wilful downloading of computer
viruses usually is not considered a criminal offence. And it shouldn't be -
otherwise the anti-virus researchers themselves would not have a way to
exchange virus samples to work with.
The creation of a virus-oriented BBS, the system operator of which supports
the writing, spreading and exchanging of virus code hasn’t gone unnoticed in
Bulgaria. Almost all virus writers have obtained a modem (not very easy in
Bulgaria) and contacted it. Afterwards, they began to contact each other by
means of electronic messages on this BBS. They have even created a
specialized local conference (local for Bulgaria), in order to keep in touch
and to exchange ideas about how to write clever viruses. They’ve begun to
organize themselves - a thing that cannot be said about the international
anti-virus research community...
Origem: info.cert.org subdiretorio pub/virus-l/docs
(this text appeared not to fit into ZKP4 anymore, even after we upgraded
from 32 to 64 // thanks to some quick nonbueraucratic financial help, more
soon! /p)
---
# distributed via nettime-l : no commercial use without permission
# <nettime> is a closed moderated mailinglist for net criticism,
# collaborative text filtering and cultural politics of the nets
# more info: majordomo@icf.de and "info nettime" in the msg body
# URL: http://www.desk.nl/~nettime/ contact: nettime-owner@icf.de